If the item is not participating in a workflow, the user can edit the access under user-defined.

Workflow

If an item is participating in a workflow, then the user-defined option does not appear, and the workflow settings are displayed. This cannot be edited. Workflow-defined access is set in workflow stages.

NOTE: Published items and workflow-defined item security:

If you grant a user editor access to an item in a workflow stage that uses a publish action, then those users are able to edit the published item directly. No draft is created. The same is true for administrator defined security when applied to published items.

If you grant a user manager access to an item in a workflow stage that uses a publish action, then those users are able to edit and delete the published item directly. No draft is created. The same is true for administrator defined security when applied to published items.

If you grant a user approve access to an item in a workflow stage that uses a publish action, then those users are able to create drafts of the published item.

Administrator defined

Administrators can edit user access to an item at any time by changing the administrator defined settings.

Inheritance

You can also choose to inherit access assigned in the current Web content library, or from an item's parent. Inheritance for all user roles is enabled by default.

NOTES:

1.Security at the Library level, determines who can access the library

2.Security at the Library Resources Level (i.e.components, content, authoring template…etc.) determines what they can see and what functions (read, edit, delete, purge , etc) they can do.

3.User or group who have access to create the content should be able to do New->Content for the library to initially create the content. Then, depending on how the workflow is set up for the content, that user may or may not be able to edit the content because they may not included in the access control for the next workflow stage the content moves to.

b. In WCM, it is possible to filter who see a content element. To set permissions, go to the default content settings, expand the content element, and click Select editors or Select viewers. Content Elements inherit the permissions from the content resource type.

5.Create new item : The ability to create new items is set at the library level, not item level. You must have at least contributor access to a library and editor access to an item-type to create a new item. If you have access to create any item type, you can also create folders and projects.

6.Security Inheritance

i.Inheritance from a library is based on the role assigned to the overall library, not on the role assigned to specific item types. For example, you may not have access to the presentation template view on a library, but if you inherit the role of editor to a presentation template, you will be able to view and edit that presentation template from the All Items view

ii.Inheritance does not apply to draft items

7.Disabling inheritance :

i.By default, each role's access is automatically inherited down to each item in a library. To prevent a user or group from automatically having inherited access to an item, you will need to turn off inheritance on that item.

ii.Note: By default, inheritance is enabled for all roles and items. To disable automatic inheritance, edit the WCMConfigService.properties file located in the /PortalServer/wcm/shared/app/config/wcmservices/ directory.

iii.To disable automatic inheritance, set this value to “false”: default.inherit.permissions.enabled=false

iv.You will need to restart WebSphere Portal to enable any configuration changes made to this file

8.Work-Flow Security

i.A workflow in WCM is a process that is used to control item state and security

ii.Workflow stages determine the content security for a particular stage. (Do not confuse this with the security of the stage itself).

iii.Setting approve access is only available through the workflow stage

iv.A WCM "non-workflowed" item has only one state, which is published . A nonworkflowed item is represented by a gray icon close to the item.

v.In Draft workflow stage add the “group A” as editors on the content , so when all contents entered into this stage they automatically give access to that group.

vii.If the content is in the Draft stage, and user who is moving the object (click on next stage) to approve stage should have read access on the approve stage itself. Otherwise it will throw an unauthorized exception.

viii.Similarly authors will need 'approve' access on the 'draft' workflow stage to approve the content by themselves (to move to publish action).

ix.Authors can only add Read access to items after they are published, using the Additional Viewers when published button

b. Select the items you would like to batch-edit, and then click More Actions > Edit Access.

c. If you are assigning access to individual users or groups, edit the list of users or groups you would like to set security levels for.

i.To remove items, first select the required items from the item list, then click Remove

ii.To add items, click Add Search for and then select the users or groups you would like to add Security for. Click OK.

d. Select how to apply the new access levels:

i.The same access level changes the access level of the selected users or groups to the specific access level selected in step 5.

ii.Minimum access level changes the minimum access level of the selected users or groups to the access level selected in step 5. The access levels of a user can be raised, but not reduced.

iii.Maximum access level changes the maximum access level of the selected users or groups to the access level selected in step 5. The access levels of a user can be reduced, but not raised.

e. Select an access level.

f. Select inheritance options as required. If you select "ignore", no changes are applied to inheritance.

g. Select to apply these settings either to the Administrator Defined or User Defined access control settings.

h. Select Only change access for existing users or groups. Do not add any new users or groups to change the access level of users and groups have already been granted access to an item. No new users or groups are added.

i. Click OK to finish.

10.Disabling inheritance :

v.By default, each role's access is automatically inherited down to each item in a library. To prevent a user or group from automatically having inherited access to an item, you will need to turn off inheritance on that item.

vi.Note: By default, inheritance is enabled for all roles and items. To disable automatic inheritance, edit the WCMConfigService.properties file located in the /PortalServer/wcm/shared/app/config/wcmservices/ directory.

vii.To disable automatic inheritance, set this value to “false”: default.inherit.permissions.enabled=false

viii.You will need to restart WebSphere Portal to enable any configuration changes made to this file

a.Inside JCR, WCM libraries are organized in a hierarchy with a common root. The security roles set on the content library root are propagated to all libraries.

b.By default, only administrators have access to work with Web content libraries. To allow other users to work with Web content libraries, such as virtual portal administrators, you have to assign them access to the JCR content root nod

i.The permissions set for item types in a library do not automatically give you access to individual items. They only give you access to specific tasks and views within the authoring portlet . For example, a Manager to the Components type has access to the Purge and Unlock actions but, if that user does not also have Manager access to an individual component then the Purge and Unlock actions will not be enabled when that component is selected

ii.In production, not all user groups need to access every WCM feature. Like content authors doesn’t require “authoring templates” or “workflow” views..etc. By setting permissions at the item types we can accomplish use cases like that.

c.Item level : Item level access controls define the actions that a user can perform on an individual item.

i.library security is propagated by default to the library items. However, it is possible to override those permissions at the item level.

ii.Item level security management depends on whether the item has a workflow or not

1.Administrator defined security settings are provided for every item

2.If the item has a workflow, effective security settings are the combination of inheritance, administrator, and current workflow stage security settings

3.If the item does not have a workflow, effective security settings are the combination of inheritance, administrator, and user security

iii.Five different access levels (user, contributor, editor , manager and Approver) can be granted to every WCM item (Approver is only for the items that participate in workflow).

iv.Workflow settings depend on the current workflow stage and cannot be edited

Use Case:
When you have WCM content viewer portlet on the multiple pages with same configuration like right rail portlets (support or contact us …etc) where its configured with same content items or JSP component (context will be depend on the sitearea associated with page ..etc).

Steps

1. Clone the Web Content Viewer – (JSR 286) portlet and name that like “CMP-FeaturedArticles” based on requirement

2. Once you clone the portlet , Click on the configure portlet and set the following preferences based on requirement.

3. Add the following preferences

4. Now you can add instance of this portlet on any page , all instances will get same preferences or WCM configuration. This will reduce effort to configure the each portlet instance manually.

NOTE :

1. You can pass different set of preferences , to identify exact key value pairs export sample page with WCM portlet configured manually or Click Here for the full list of XML configuration interface parameters for the JSR 286 web content viewer.

2. If you are using the Web content pages (portal pages with content mapping) then context of the page will be the sitearea attached.